From: victim@victimdomain.tld
To: victim@victimdomain.tld
Date: 26 July 2016 at 10:27
Subject: Attached Image
**********************************************************************
The information in this email is confidential and may be privileged.
If you are not the intended recipient, please destroy this message
and notify the sender immediately.
**********************************************************************

Attached is a ZIP file with a name apparently made up of random numbers, containing a malicious .js script with another random number, such as this one. In this example the script downloads a malicious binary from:

www.isleofwightcomputerrepairs.talktalk.net/okp987g7v
There will be many other scripts with different download locations and perhaps other binaries. The file downloaded is Locky ransomware with a detection rate of 4/54. The Hybrid Analysis for the dropped file shows it phoning home to:
31.41.47.41/upload/_dispatch.php (Relink Ltd, Russia)
91.234.35.216/upload/_dispatch.php (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
Recommended blocklist:
31.41.47.41
91.234.35.216
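As an added example (not part of the original post), the following script shows how a defender might sweep proxy logs for the indicators listed above: the two C2 addresses, the callback path, and the download host. The log lines are constructed in Squid's native access-log layout purely for illustration; peer addresses for the non-C2 hosts are documentation-range placeholders, not observed values. A request is scored "high" when it touches a blocklisted address or the download host, and "low" when only the path matches, since the path on its own is a weaker indicator.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators quoted from the post above.
BLOCKLIST_IPS = frozenset({"31.41.47.41", "91.234.35.216"})
C2_PATH = "/upload/_dispatch.php"
DOWNLOAD_HOST = "www.isleofwightcomputerrepairs.talktalk.net"

# Constructed sample lines in Squid native access-log layout:
# time elapsed client code/status bytes method URL ident hierarchy/peer mime-type.
# Peer addresses for non-C2 hosts are documentation-range placeholders (assumption).
SAMPLE_LOG = """\
1469528820.123    312 10.0.0.15 TCP_MISS/200 221184 GET http://www.isleofwightcomputerrepairs.talktalk.net/okp987g7v - HIER_DIRECT/198.51.100.10 application/octet-stream
1469528841.456    120 10.0.0.15 TCP_MISS/200 512 POST http://31.41.47.41/upload/_dispatch.php - HIER_DIRECT/31.41.47.41 text/html
1469528843.789     80 10.0.0.22 TCP_MISS/200 2048 GET http://example.org/index.html - HIER_DIRECT/203.0.113.5 text/html
1469528850.001    150 10.0.0.15 TCP_MISS/200 512 POST http://91.234.35.216:8080/upload/_dispatch.php - HIER_DIRECT/91.234.35.216 text/html
1469528860.002     60 10.0.0.31 TCP_MISS/404 300 GET http://example.org/upload/_dispatch.php - HIER_DIRECT/203.0.113.5 text/html
"""


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client: str
    url: str
    reasons: tuple
    confidence: str


def classify_url(url: str, peer_ip: str) -> tuple:
    """Return the indicator names a request matches, or () when it is clean."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()  # hostname strips any :port suffix
    reasons = []
    if host in BLOCKLIST_IPS or peer_ip in BLOCKLIST_IPS:
        reasons.append("blocklisted-ip")
    if parts.path == C2_PATH:
        reasons.append("c2-path")
    if host == DOWNLOAD_HOST:
        reasons.append("payload-download")
    return tuple(reasons)


def confidence_for(reasons: tuple) -> str:
    """Address or download-host matches are strong; the path alone is weak."""
    strong = {"blocklisted-ip", "payload-download"}
    return "high" if strong.intersection(reasons) else "low"


def scan_log(text: str) -> list:
    """Parse Squid native log lines and return every request matching an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue  # truncated or non-Squid line; skip rather than guess
        timestamp, client, url, hierarchy = fields[0], fields[2], fields[6], fields[8]
        # hierarchy looks like HIER_DIRECT/<peer ip>; keep only the peer address
        peer_ip = hierarchy.split("/", 1)[1] if "/" in hierarchy else ""
        reasons = classify_url(url, peer_ip)
        if reasons:
            hits.append(Hit(timestamp, client, url, reasons, confidence_for(reasons)))
    return hits


def clients_to_triage(hits: list) -> list:
    """Distinct internal clients that touched any indicator, sorted for reporting."""
    return sorted({h.client for h in hits})


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit.confidence, hit.client, hit.url, ", ".join(hit.reasons))
    print("clients to triage:", clients_to_triage(scan_log(SAMPLE_LOG)))
```

Matching on the peer address as well as the URL host catches the case where the C2 is reached by hostname rather than literal IP; the port-stripping in `urlsplit().hostname` handles a callback on a non-standard port.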